Product architecture
How Vitala Health works
A unified Next.js + Supabase stack collapses booking, payments, clinical care, and longitudinal health data into a single HIPAA-conscious system with role-scoped access at every layer.
Identity
Supabase Auth with RLS policies enforced in the database.
Booking engine
Availability + service catalog + payment in one flow.
Health data
Orthanc DICOM ingestion pipeline to longitudinal store.
Compliance
Audit log, encryption-at-rest, least-privilege keys.
Request flow
Client (Next.js SSR) → Edge auth (JWT + role claims) → API layer (server functions) → RLS gate (policy check) → Postgres (encrypted store)
Booking rules engine
1. Resolve service → required practitioner skills + duration
2. Query availability windows across practitioner calendars
3. Apply policy filters (lead time, capacity, prerequisites)
4. Reserve slot atomically with optimistic lock
5. Generate payment intent → confirm or release
6. Emit events to reminders + automation webhooks
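Steps 4 and 5 as Postgres functions, added here as an illustration rather than Vitala's own code. The slots table, its columns and the function names (reserve_slot, confirm_slot, release_slot) are assumptions; the shape is what matters: the UPDATE carries the version the client read, so a competing client that read the same version matches zero rows and must refresh.

```sql
-- Hypothetical slots table: one row per bookable window (not Vitala's schema).
create table public.slots (
  id                uuid primary key default gen_random_uuid(),
  practitioner_id   uuid not null,
  start_at          timestamptz not null,
  end_at            timestamptz not null,
  status            text not null default 'open'
                      check (status in ('open', 'held', 'booked')),
  held_by           uuid,
  hold_expires_at   timestamptz,
  payment_intent_id text,
  version           integer not null default 0
);
-- Defence in depth: even if application logic is bypassed, a practitioner
-- cannot have two rows for the same start time.
create unique index slots_practitioner_start_key
  on public.slots (practitioner_id, start_at);

-- Step 4: optimistic lock. The client passes the version it saw during the
-- availability query. If anyone changed the row since, the version no longer
-- matches, zero rows update and the caller refreshes and retries.
-- An expired hold is reclaimable by the same predicate, so no sweeper is needed.
create or replace function public.reserve_slot(
  p_slot_id uuid, p_expected_version integer, p_hold_minutes integer default 10)
returns public.slots
language plpgsql security definer set search_path = public as $$
declare
  v_slot public.slots;
begin
  update public.slots
     set status = 'held',
         held_by = auth.uid(),
         hold_expires_at = now() + make_interval(mins => p_hold_minutes),
         version = version + 1
   where id = p_slot_id
     and version = p_expected_version
     and (status = 'open' or (status = 'held' and hold_expires_at < now()))
  returning * into v_slot;
  if not found then
    -- serialization_failure tells the client this is a retry, not a hard error
    raise exception 'slot % changed since it was read; refresh and retry', p_slot_id
      using errcode = 'serialization_failure';
  end if;
  return v_slot;
end $$;

-- Step 5a: confirm after the payment intent succeeds. Intended to be called
-- from the server-side payment webhook with the service role, never by the
-- client, so the holder is passed in rather than taken from auth.uid().
-- Returns true, or null if the hold had already lapsed.
create or replace function public.confirm_slot(
  p_slot_id uuid, p_holder_id uuid, p_payment_intent_id text)
returns boolean
language sql security definer set search_path = public as $$
  update public.slots
     set status = 'booked', payment_intent_id = p_payment_intent_id,
         hold_expires_at = null, version = version + 1
   where id = p_slot_id and status = 'held'
     and held_by = p_holder_id and hold_expires_at >= now()
  returning true;
$$;
-- security definer functions are executable by PUBLIC by default; lock it down
-- so an authenticated client cannot "confirm" a slot without paying.
revoke execute on function public.confirm_slot(uuid, uuid, text)
  from public, anon, authenticated;

-- Step 5b: release on payment failure or cancel; only the holder can release.
create or replace function public.release_slot(p_slot_id uuid)
returns boolean
language sql security definer set search_path = public as $$
  update public.slots
     set status = 'open', held_by = null, hold_expires_at = null,
         version = version + 1
   where id = p_slot_id and status = 'held' and held_by = auth.uid()
  returning true;
$$;
```

Under READ COMMITTED the second of two concurrent reserve_slot calls blocks on the row lock, re-evaluates its WHERE against the committed row, sees version 4 rather than 3 and updates nothing, so exactly one caller gets the hold without any SELECT ... FOR UPDATE. The revoke on confirm_slot is the check worth repeating for every security definer function in the schema: without it, any logged-in user can call it.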
Health data pipeline
Orthanc DICOM
  │
  ▼
[Ingestion worker] ──► Parse + normalize
  │
  ▼
[Validation] ──► PHI tagging + dedupe
  │
  ▼
[Patient store] ◄── RLS: patient_id = auth.uid()
  │
  ▼
[Visualization] ──► Trend charts + alerts
Role-based access matrix
| Resource | Patient | Staff | Admin |
|---|---|---|---|
| Own profile | ✓ read/write | ✓ read | ✓ read/write |
| Appointments | Own only | Assigned only | All |
| Clinical notes | Own (read) | Assigned (write) | All (read) |
| Health records | Own only | Assigned only | — |
| Services & pricing | — | Read | Read/write |
| Audit log | — | — | Read |
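The access matrix above, together with the "RLS gate" in the request flow and the `patient_id = auth.uid()` rule on the patient store, written out as Postgres row-level security policies in the Supabase style. This is an added example, not Vitala's schema: the table and column names, the `app_metadata.role` claim and the `current_role_claim()` helper are assumptions. Services & pricing is omitted; it follows the same pattern as the audit log.

```sql
-- Hypothetical tables (not Vitala's schema); only columns the policies need.
create table public.profiles (id uuid primary key references auth.users (id), full_name text);
create table public.appointments (
  id uuid primary key default gen_random_uuid(),
  patient_id uuid not null references auth.users (id),
  practitioner_id uuid not null references auth.users (id),
  start_at timestamptz not null);
create table public.clinical_notes (
  id uuid primary key default gen_random_uuid(),
  appointment_id uuid not null references public.appointments (id),
  author_id uuid not null references auth.users (id),
  body text not null);
create table public.health_records (
  id uuid primary key default gen_random_uuid(),
  patient_id uuid not null references auth.users (id),
  payload jsonb not null);
create table public.audit_log (
  id bigint generated always as identity primary key,
  actor_id uuid, action text not null, at timestamptz not null default now());

-- Role claim (assumed location: app_metadata.role). app_metadata can only be
-- set server-side; user_metadata is editable by the user via the auth API and
-- must never gate access. A missing claim falls back to the least privilege.
create or replace function public.current_role_claim() returns text
language sql stable as $$
  select coalesce(auth.jwt() -> 'app_metadata' ->> 'role', 'patient');
$$;

-- Once RLS is on, a table with no matching policy returns no rows (default deny).
alter table public.profiles       enable row level security;
alter table public.appointments   enable row level security;
alter table public.clinical_notes enable row level security;
alter table public.health_records enable row level security;
alter table public.audit_log      enable row level security;

-- Own profile: everyone reads their own row; patient and admin may also write it.
create policy profiles_select on public.profiles for select to authenticated
  using (id = auth.uid());
create policy profiles_update on public.profiles for update to authenticated
  using (id = auth.uid() and public.current_role_claim() in ('patient', 'admin'))
  with check (id = auth.uid());

-- Appointments: patient sees own, staff sees assigned, admin sees all.
create policy appointments_select on public.appointments for select to authenticated
  using (
    case public.current_role_claim()
      when 'admin'   then true
      when 'staff'   then practitioner_id = auth.uid()
      when 'patient' then patient_id = auth.uid()
      else false
    end
  );

-- Clinical notes: patient reads notes on own appointments, staff reads and
-- writes notes on assigned appointments, admin reads all. The subquery runs
-- under appointments_select for the caller, so it cannot widen access.
create policy notes_select on public.clinical_notes for select to authenticated
  using (
    public.current_role_claim() = 'admin'
    or exists (select 1 from public.appointments a
               where a.id = clinical_notes.appointment_id)
  );
create policy notes_insert on public.clinical_notes for insert to authenticated
  with check (
    public.current_role_claim() = 'staff'
    and author_id = auth.uid()
    and exists (select 1 from public.appointments a
                where a.id = clinical_notes.appointment_id
                  and a.practitioner_id = auth.uid())
  );

-- Health records: patient own, staff assigned via an appointment. Admin has no
-- policy on this table at all, which is how the matrix's "—" is enforced.
create policy records_select on public.health_records for select to authenticated
  using (
    (public.current_role_claim() = 'patient' and patient_id = auth.uid())
    or (public.current_role_claim() = 'staff' and exists (
          select 1 from public.appointments a
          where a.patient_id = health_records.patient_id
            and a.practitioner_id = auth.uid()))
  );

-- Audit log: admin read only. No insert/update/delete policy exists, so rows
-- can only be written by the service role or by security definer triggers.
create policy audit_select on public.audit_log for select to authenticated
  using (public.current_role_claim() = 'admin');
```

Two checks a reviewer of this layer should make. First, the service role bypasses RLS entirely, so the server functions in the API layer must query with a client carrying the user's JWT, not the service key, or the RLS gate in the request flow is silently skipped. Second, policies can be exercised in psql without a browser: `set role authenticated;` followed by `select set_config('request.jwt.claims', '{"sub":"<uuid>","app_metadata":{"role":"staff"}}', true);` makes `auth.uid()` and `auth.jwt()` return that identity for the rest of the transaction, which is enough to assert that a staff user cannot read another practitioner's notes.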